ci(deps): bump the actions-core group across 1 directory with 7 updates

[dependabot]

Bumps the actions-core group with 7 updates in the / directory:

Package	From	To
actions/checkout	4.3.1	7.0.0
actions/setup-node	4.4.0	6.4.0
actions/cache	4.3.0	5.0.5
actions/upload-artifact	4.6.2	7.0.1
actions/download-artifact	4.3.0	8.0.1
actions/setup-python	5.6.0	6.2.0
actions/attest-build-provenance	2.2.2	4.1.0

Updates actions/checkout from 4.3.1 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

• block checking out fork pr for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462
• getting ready for checkout v7 release by @​aiqiaoy in actions/checkout#2464
• update error wording by @​aiqiaoy in actions/checkout#2467

New Contributors

• @​aiqiaoy made their first contribution in actions/checkout#2454

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

• Update changelog by @​ericsciple in actions/checkout#2357
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414
• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• Update changelog for v6.0.3 by @​yaananth in actions/checkout#2446

New Contributors

• @​yaananth made their first contribution in actions/checkout#2414

Full Changelog: actions/checkout@v6...v6.0.3

v6.0.2

What's Changed

• Add orchestration_id to git user-agent when ACTIONS_ORCHESTRATION_ID is set by @​TingluoHuang in actions/checkout#2355
• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

• Block checking out fork PR for pull_request_target and workflow_run by @​aiqiaoy in actions/checkout#2454
• Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the minor-actions-dependencies group across 1 directory by @​dependabot[bot] in actions/checkout#2458
• Bump flatted from 3.3.1 to 3.4.2 by @​dependabot[bot] in actions/checkout#2460
• Bump js-yaml from 4.1.0 to 4.2.0 by @​dependabot[bot] in actions/checkout#2461
• Bump @​actions/core and @​actions/tool-cache and Remove uuid by @​dependabot[bot] in actions/checkout#2459
• upgrade module to esm and update dependencies by @​aiqiaoy in actions/checkout#2463
• Bump the minor-npm-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in actions/checkout#2462

v6.0.3

• Fix checkout init for SHA-256 repositories by @​yaananth in actions/checkout#2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in actions/checkout#2414

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

... (truncated)

Commits

• 9c091bb update error wording (#2467)
• 1044a6d getting ready for checkout v7 release (#2464)
• f028218 Bump the minor-npm-dependencies group across 1 directory with 3 updates (#2462)
• d914b26 upgrade module to esm and update dependencies (#2463)
• 537c7ef Bump @​actions/core and @​actions/tool-cache and Remove uuid (#2459)
• 130a169 Bump js-yaml from 4.1.0 to 4.2.0 (#2461)
• 7d09575 Bump flatted from 3.3.1 to 3.4.2 (#2460)
• 0f9f3aa Bump actions/publish-immutable-action (#2458)
• f9e715a block checking out fork pr for pull_request_target and workflow_run (#2454)
• df4cb1c Update changelog for v6.0.3 (#2446)
• Additional commits viewable in compare view

Updates actions/setup-node from 4.4.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

• Upgrade @​actions dependencies by @​Copilot in actions/setup-node#1525
• Update Node.js versions in versions.yml and bump package to v6.4.0 by @​priya-kinthali in actions/setup-node#1533

New Contributors

• @​Copilot made their first contribution in actions/setup-node#1525

Full Changelog: actions/setup-node@v6...v6.4.0

v6.3.0

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in actions/setup-node#1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in actions/setup-node#1491
• Replace uuid with crypto.randomUUID() by @​trivikr in actions/setup-node#1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in actions/setup-node#1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in actions/setup-node#1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in actions/setup-node#1495

New Contributors

• @​susnux made their first contribution in actions/setup-node#1283

Full Changelog: actions/setup-node@v6...v6.3.0

v6.2.0

What's Changed

Documentation

• Documentation update related to absence of Lockfile by @​mahabaleshwars in actions/setup-node#1454
• Correct mirror option typos by @​MikeMcC399 in actions/setup-node#1442
• Readme update on checkout version v6 by @​deining in actions/setup-node#1446
• Readme typo fixes @​munyari in actions/setup-node#1226
• Advanced document update on checkout version v6 by @​aparnajyothi-y in actions/setup-node#1468

Dependency updates:

• Upgrade @​actions/cache to v5.0.1 by @​salmanmkc in actions/setup-node#1449

New Contributors

• @​mahabaleshwars made their first contribution in actions/setup-node#1454
• @​MikeMcC399 made their first contribution in actions/setup-node#1442
• @​deining made their first contribution in actions/setup-node#1446

... (truncated)

Commits

• 48b55a0 Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)
• ab72c7e Upgrade @​actions dependencies (#1525)
• 53b8394 Bump minimatch from 3.1.2 to 3.1.5 (#1498)
• 54045ab Scope test lockfiles by package manager and update cache tests (#1495)
• c882bff Replace uuid with crypto.randomUUID() (#1378)
• 774c1d6 feat(node-version-file): support parsing devEngines field (#1283)
• efcb663 fix: remove hardcoded bearer (#1467)
• d02c89d Fix npm audit issues (#1491)
• 6044e13 Docs: bump actions/checkout from v5 to v6 (#1468)
• 8e49463 Fix README typo (#1226)
• Additional commits viewable in compare view

Updates actions/cache from 4.3.0 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

v5.0.1

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
• e340396 Update RELEASES
• 8a67110 Add licenses
• 1865903 Update dependencies & patch security vulnerabilities
• 5656298 Merge pull request #1722 from RyPeck/patch-1
• 4e380d1 Fix cache key in examples.md for bun.lock
• Additional commits viewable in compare view

Updates actions/upload-artifact from 4.6.2 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

... (truncated)

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• Additional commits viewable in compare view

Updates actions/download-artifact from 4.3.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in actions/download-artifact#471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in actions/download-artifact#472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/download-artifact#440
• Download Artifact Node24 support by @​salmanmkc in actions/download-artifact#415
• fix: update @​actions/artifact to fix Node.js 24 punycode deprecation by @​salmanmkc in actions/download-artifact#451
• prepare release v7.0.0 for Node.js 24 support by @​salmanmkc in actions/download-artifact#452

... (truncated)

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• Additional commits viewable in compare view

Updates actions/setup-python from 5.6.0 to 6.2.0

Release notes

Sourced from actions/setup-python's releases.

v6.2.0

What's Changed

Dependency Upgrades

• Upgrade dependencies to Node 24 compatible versions by @​salmanmkc in actions/setup-python#1259
• Upgrade urllib3 from 2.5.0 to 2.6.3 in /__tests__/data by @​dependabot in actions/setup-python#1253 and actions/setup-python#1264

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed

Enhancements:

• Add support for pip-install input by @​gowridurgad in actions/setup-python#1201
• Add graalpy early-access and windows builds by @​timfel in actions/setup-python#880

Dependency and Documentation updates:

• Enhanced wording and updated example usage for allow-prereleases by @​yarikoptic in actions/setup-python#979
• Upgrade urllib3 from 1.26.19 to 2.5.0 and document breaking changes in v6 by @​dependabot in actions/setup-python#1139
• Upgrade typescript from 5.4.2 to 5.9.3 and Documentation update by @​dependabot in actions/setup-python#1094
• Upgrade actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pip-install input by @​dependabot in actions/setup-python#1199
• Upgrade requests from 2.32.2 to 2.32.4 by @​dependabot in actions/setup-python#1130
• Upgrade prettier from 3.5.3 to 3.6.2 by @​dependabot in actions/setup-python#1234
• Upgrade @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel by @​dependabot in actions/setup-python#1235

New Contributors

• @​yarikoptic made their first contribution in actions/setup-python#979

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

• Add support for pip-version by @​priyagupta108 in actions/setup-python#1129
• Enhance reading from .python-version by @​krystof-k in actions/setup-python#787
• Add version parsing from Pipfile by @​aradkdj in actions/setup-python#1067

Bug fixes:

• Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @​aparnajyothi-y in actions/setup-python#1183
• Change missing cache directory error to warning by @​aparnajyothi-y in actions/setup-python#1182
• Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @​aparnajyothi-y in actions/setup-python#1122
• Include python version in PyPy python-version output by @​cdce8p in actions/setup-python#1110
• Update docs: clarification on pip authentication with setup-python by @​priya-kinthali in actions/setup-python#1156

Dependency updates:

• Upgrade idna from 2.9 to 3.7 in /tests/data by @​dependabot[bot] in actions/setup-python#843
• Upgrade form-data to fix critical vulnerabilities #182 & #183 by @​aparnajyothi-y in actions/setup-python#1163
• Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @​aparnajyothi-y in actions/setup-python#1165
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-python#1181
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in actions/setup-python#1095

... (truncated)

Commits

• a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
• bfe8cc5 Upgrade @​actions dependencies to Node 24 compatible versions (#1259)
• 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
• 83679a8 Bump @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
• bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
• 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
• 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
• cfd55ca graalpy: add graalpy early-access and windows builds (#880)
• bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
• 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
• Additional commits viewable in compare view

Updates actions/attest-build-provenance from 2.2.2 to 4.1.0

Release notes

Sourced from actions/attest-build-provenance's releases.

v4.1.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Update RELEASE.md docs by @​bdehamer in actions/attest-build-provenance#836
• Bump actions/attest from 4.0.0 to 4.1.0 by @​bdehamer in actions/attest-build-provenance#838
  • Bump @actions/attest from 3.0.0 to 3.1.0 by @​bdehamer in actions/attest#362
  • Bump @actions/attest from 3.1.0 to 3.2.0 by @​bdehamer in actions/attest#365
  • Add new subject-version input for inclusion in storage record by @​bdehamer in actions/attest#364
  • Add storage record content to README by @​bdehamer in actions/attest#366

Full Changelog: actions/attest-build-provenance@v4.0.0...v4.1.0

v4.0.0

[!NOTE] As of version 4, actions/attest-build-provenance is simply a wrapper on top of actions/attest.

Existing applications may continue to use the attest-build-provenance action, but new implementations should use actions/attest instead.

What's Changed

• Prepare v4 release by @​bdehamer in actions/attest-build-provenance#835

Full Changelog: actions/attest-build-provenance@v3.2.0...v4.0.0

v3.2.0

What's Changed

• Bump @​actions/core from 1.11.1 to 2.0.1 by @​dependabot[bot] in actions/attest-build-provenance#776
• Add more documentation on Artifact Metadata Storage Records by @​malancas in actions/attest-build-provenance#797
• Update actions/attest to latest version v3.2.0 by @​malancas in actions/attest-build-provenance#812

Full Changelog: actions/attest-build-provenance@v3.1.0...v3.2.0

v3.1.0

What's Changed

• Prepare v3 release by @​bdehamer in actions/attest-build-provenance#697
• Bump js-yaml from 3.14.1 to 3.14.2 by @​dependabot[bot] in actions/attest-build-provenance#749
• Bump tar from 7.5.1 to 7.5.2 by @​dependabot[bot] in actions/attest-build-provenance#753
• Bump glob from 10.4.5 to 10.5.0 by @​dependabot[bot] in actions/attest-build-provenance#754
• Bump @​types/node from 24.10.1 to 25.0.2 by @​dependabot[bot] in actions/attest-build-provenance#774
• Bump @​actions/attest from 1.6.0 to 2.0.0 by @​dependabot[bot] in actions/attest-build-provenance#736
• Bump @​actions/attest from 2.0.0 to 2.1.0 by @​dependabot[bot] in actions/attest-build-provenance#775
• Add support for creating artifact metadata storage records by @​malancas in actions/attest-build-provenance#779

New Contributors

... (truncated)

Commits

• a2bbfa2 bump actions/atte...

  Description has been truncated

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions, security. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[otReviewAgent]

💡 Suggestion: The action pins are repeated across many jobs and workflow files, so this bump required changing the same checkout/setup-node/artifact/cache refs in dozens of places. Consider extracting the common checkout/pnpm/node setup and artifact download/upload patterns into local composite actions or reusable workflows so future action upgrades have one source of truth and less drift risk.